Hi,

on Wed, Jul 26, 2006 at 21:00:21 -0500, Todd Troxell wrote:

> > Should we declare it a feature and call violations.ignore.d
> > a deescalation filter instead?
> 
> The majority of emails I get about logcheck are confused admins wondering why
> a rulefile doesn't work, when it's just because lines are being pulled by
> violations.d.
> 
> Eh, it definitely makes things more complicated.  The benefit would not be
> great for me, but I tend to read logcheck mails without really caring about
> which level things show up under.  I may be a bad judge on this one, but I'd
> like to see it changed.  Of course, I'm open to discussion about it.

Yes, I don't care that much about the level either and I think the
reason is that all the stuff like so many harmless failure messages,
anything involving "illegal" or "attack" in the user- or hostname
etc. shows up there.
And with violations.ignore.d completely filtering matches one can't do
anything about it - making them deescalation filters would allow this
and better the situation.

Given that it would make things more tedious as one would have to have
rules twice (in ignore.d.* and violations.ignore.d, and keep them in
sync), I wonder whether it would make sense to do away with the overly
broad rules in violations.d.

elmar

-- 

 .'"`.                                                            /"\
| :' :   Elmar Hoffmann <[EMAIL PROTECTED]>    ASCII Ribbon Campaign  \ /
`. `'    GPG key available via pgp.net        against HTML email   X
  `-                                                    & vCards  / \

_______________________________________________
Logcheck-devel mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/logcheck-devel
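
A simplified model of the two behaviours discussed in the message above, added here as an example; it is not part of the original mail and not logcheck's own code. The rule patterns, log lines and the result labels `security`, `system` and `ignored` are constructed assumptions.

```python
import re

# Constructed rule sets: assumptions for illustration, not logcheck's shipped rules.
RULES = {
    "violations.d": [r"[Ii]llegal", r"[Aa]ttack"],  # deliberately broad
    "violations.ignore.d": [r"sshd\[\d+\]: Illegal user \S+ from \S+$"],
    "ignore.d": [r"postfix/smtpd\[\d+\]: connect from \S+$"],
}

def matches(rules, line):
    return any(re.search(rule, line) for rule in rules)

def classify(line, rules=RULES, deescalate=False):
    """Return 'security', 'system' or 'ignored' for one log line."""
    if matches(rules["violations.d"], line):
        if not matches(rules["violations.ignore.d"], line):
            return "security"   # ignore.d is never consulted for this line
        if not deescalate:
            return "ignored"    # filtering behaviour described in the message
        # Proposed de-escalation: fall through to the ordinary ignore.d pass.
    return "ignored" if matches(rules["ignore.d"], line) else "system"

# Constructed sample log lines.
SSH = "Jul 26 21:00:01 host sshd[4711]: Illegal user test from 192.0.2.10"
SMTP = "Jul 26 21:00:02 host postfix/smtpd[812]: connect from attack.example.org[192.0.2.20]"
LINK = "Jul 26 21:00:03 host kernel: eth0: link up"

# Same rules plus the sshd pattern duplicated into ignore.d (the "rules twice" cost).
SYNCED = dict(RULES, **{"ignore.d": RULES["ignore.d"] + RULES["violations.ignore.d"]})

if __name__ == "__main__":
    for name, line in (("SSH", SSH), ("SMTP", SMTP), ("LINK", LINK)):
        print(name, classify(line), classify(line, deescalate=True),
              classify(line, SYNCED, deescalate=True))
```

The SMTP line stays a security event in every mode even though an ignore.d rule matches it, because the broad `attack` pattern pulls it first; the SSH line only disappears under de-escalation once its rule exists in both directories.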
